CVE-2026-58492
getgrav · grav
The grav-plugin-database for Grav CMS is vulnerable to SQL injection via the PDO::tableExists method due to improper input sanitization.
Executive summary
A critical SQL injection vulnerability in the Grav CMS database plugin allows unauthorized attackers to execute arbitrary SQL commands against the backend database.
Vulnerability
The plugin fails to sanitize the table argument in the PDO::tableExists method before interpolating it into a raw SQL query. This allows an attacker to inject arbitrary SQL commands, resulting in unauthorized database interaction.
Business impact
Successful exploitation of this SQL injection vulnerability could lead to the complete exposure of sensitive site data, unauthorized modification of records, or potential administrative account takeover. With a CVSS score of 9.2, the vulnerability poses a high risk to the confidentiality and integrity of the CMS-managed data.
Remediation
Immediate Action: Update the grav-plugin-database to version 1.2.0 or later to resolve the SQL injection flaw.
Proactive Monitoring: Monitor database query logs for suspicious patterns, such as unexpected table enumeration or syntax errors indicative of SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection detection capabilities to block malicious payloads targeting the database plugin.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of SQL injection vulnerabilities, immediate application of the provided patch is essential. Organizations should update the plugin and perform a security audit of the database to ensure no unauthorized modifications have occurred prior to the update.